Re: Security
Sam Hartman wrote:
> we should not recommend it.
The draft is very clear about that, maybe even on the
wrong side of the border into exaggeration.
To take another example, just because RFC 862 is also
known as STD 20 doesn't mean that starting echo servers
is "recommended".
It means "IFF you do that, here is how this has worked
for 25 years": mature + interoperable != recommended.
Similarly, the POP3 standard (STD 53) doesn't imply that
folks had better stay away from IMAP (not a STD). Quite
the contrary, it is a point of POP3 that there will be
no additional (= unnecessary) features.
Ditto RFC 3986 (URIs, STD 66) vs. 3987 (IRIs, not yet
as mature as URIs).
> If people want to update digest-md5 on the standards
> track, I will not stand in their way. I personally
> don't think it worth doing.
<shrug /> Alexey's drafts were nearly ready from my
POV, but "squeeze more features into a SASL mechanism
already suffering badly from far too many features" was
not a good idea.
Splitting it into a "+" version with a new name was an
idea. The current standardization situation is again
strange: RFC 2617 and 2831 are almost identical, 2831
is slightly better (wrt i18n), the better version will
be deprecated, keeping a less capable RFC 2617 (or its
successor).
But I'm not going to appeal the DIGEST-MD5 decision,
actually its featurism and implementation difficulties
are the reason why I defend the far simpler CRAM-MD5.
Frank
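The message above contrasts DIGEST-MD5's featurism with the "far simpler" CRAM-MD5. What follows is an added example, not code from Frank's message or from any of the cited RFCs: a complete CRAM-MD5 exchange (RFC 2195 shape: server sends a base64 "<pid.timestamp@host>" challenge, client answers with base64 of "username hex(HMAC-MD5(password, challenge))"), with the server-side check. The credential table, the pinned pid/timestamp/host values and the helper names are this example's own assumptions; the pinned values are chosen to match the worked example printed in RFC 2195 so the output can be compared against it. The practitioner caveats are in the comments: the server must hold the plaintext password (or an MD5 context pair derived from it), there is no mutual authentication and no protection of the session, and the underlying hash is MD5.

```python
import base64
import hmac
import os
import socket
import time

# Constructed sample credential table (not from the original message).
# CRAM-MD5 obliges the server to keep the password itself (or the pair of
# MD5 contexts derived from it), so a leak of this table is a leak of
# reusable secrets. That is the mechanism's best-known weakness, and the
# price of its simplicity.
CREDENTIALS = {"tim": "tanstaaftanstaaf"}


def make_challenge(hostname=None, pid=None, timestamp=None):
    """Server side: build the "<pid.timestamp@host>" challenge of RFC 2195.

    The arguments default to live process values; they can be pinned (as
    the usage below does) to reproduce a known exchange.
    """
    host = hostname or socket.gethostname()
    pid = os.getpid() if pid is None else pid
    ts = int(time.time()) if timestamp is None else timestamp
    return "<%d.%d@%s>" % (pid, ts, host)


def cram_md5_digest(password, challenge):
    """Keyed MD5 (HMAC-MD5, RFC 2104) of the challenge under the password."""
    return hmac.new(password.encode("utf-8"),
                    challenge.encode("utf-8"), "md5").hexdigest()


def client_response(username, password, challenge_b64):
    """Client side: decode the challenge, answer "user <32 hex digits>"."""
    challenge = base64.b64decode(challenge_b64).decode("utf-8")
    digest = cram_md5_digest(password, challenge)
    plain = "%s %s" % (username, digest)
    return base64.b64encode(plain.encode("utf-8")).decode("ascii")


def server_verify(response_b64, challenge, credentials=CREDENTIALS):
    """Server side: recompute the digest and compare in constant time.

    Returns False on malformed input rather than raising, so a garbage
    response cannot turn into an unhandled exception in a server loop.
    """
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("utf-8")
        username, digest = decoded.split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    password = credentials.get(username)
    # Unknown user: still fail closed. (A production server would also
    # run a dummy HMAC here so timing does not reveal which users exist.)
    if password is None or len(digest) != 32:
        return False
    expected = cram_md5_digest(password, challenge)
    return hmac.compare_digest(expected, digest)


def run_exchange(username, password, credentials=CREDENTIALS):
    """Drive both sides once and return the wire lines plus the verdict.

    The challenge is pinned to the RFC 2195 worked example so the client
    line can be checked against the RFC. Note what CRAM-MD5 does *not*
    give you: the server never proves anything to the client (no mutual
    authentication), and nothing after this exchange is protected.
    """
    challenge = make_challenge("postoffice.reston.mci.net", 1896, 697170952)
    challenge_b64 = base64.b64encode(challenge.encode("utf-8")).decode("ascii")
    response = client_response(username, password, challenge_b64)
    return {
        "challenge": challenge,
        "server": "+ " + challenge_b64,
        "client": response,
        "ok": server_verify(response, challenge, credentials),
    }


if __name__ == "__main__":
    for line in ("server", "client", "ok"):
        print(line, run_exchange("tim", "tanstaaftanstaaf")[line])
```

The whole mechanism is three short functions and a single hash primitive, which is the point the message makes about simplicity; the comments mark where that simplicity is paid for (password-equivalent storage, no mutual authentication, MD5).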